b'OFFICE OF INSPECTOR GENERAL\n\n               Audit Report\nFiscal Year 2007 Evaluation of Information Security\n         at the Railroad Retirement Board\n\n\n                Report No. 07-08\n               September 27, 2007\n\n\n\n\n   RAILROAD RETIREMENT BOARD\n\x0c                                  INTRODUCTION\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) evaluation\nof information security at the Railroad Retirement Board (RRB).\n\nBackground\n\nThe RRB administers the retirement/survivor and unemployment/sickness insurance\nbenefit programs for railroad workers and their families under the Railroad\nRetirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA).\nThese programs provide income protection during old age and in the event of\ndisability, death, temporary unemployment or sickness. The RRB paid over $9.5\nbillion in benefits during fiscal year (FY) 2006. Also in FY 2006, the RRB reported\nover 522,000 Medicare enrollees for which 11.7 million Medicare Part B claims\ntotaling more than $900.5 million were paid. The RRB is headquartered in Chicago,\nIllinois, and has 53 Field Offices and 3 Regional Offices across the nation.\n\nThe RRB\xe2\x80\x99s information system environment consists of six major application\nsystems and two general support systems, each of which has been designated as a\nmoderate impact system in accordance with standards and guidance promulgated\nby the National Institute of Standards and Technology (NIST). The major application\nsystems correspond to the RRB\xe2\x80\x99s critical operational activities, including RRA benefit\npayments, RUIA benefit payments, maintenance of railroad employee compensation\nand service records, administration of Medicare entitlement, financial management,\nand the RRB\xe2\x80\x99s financial interchange with the Social Security Administration. The\ntwo general support systems comprise the mainframe computer and the end-user\ncomputing systems.\n\nThis evaluation was conducted pursuant to Title III of the E-Government Act of 2002,\nthe Federal Information Security Management Act of 2002 (FISMA), which requires\nannual agency program reviews, Inspector General security evaluations, an annual\nagency report to the Office of Management and Budget (OMB), and an annual OMB\nreport to Congress. FISMA also establishes minimum requirements for the\nmanagement of information security in nine areas.\n\n     \xc2\xbe   Risk Assessment\n     \xc2\xbe   Policies and Procedures\n     \xc2\xbe   Testing and Evaluation\n     \xc2\xbe   Training\n     \xc2\xbe   Security Plans\n     \xc2\xbe   Remedial Action Process\n     \xc2\xbe   Incident Handling and Reporting\n     \xc2\xbe   Continuity of Operations\n     \xc2\xbe   Inventory of Systems\n\nInformation security means protecting information and information systems from\nunauthorized access, use, disclosure, disruption, modification or destruction in order\n\n                                           1\n\x0cto provide confidentiality, integrity, and availability. The Bureau of Information\nServices, under the direction of the Chief Information Officer is responsible for the\nRRB\xe2\x80\x99s information security and privacy programs. FISMA requires agencies to\nreport any significant deficiency in policy, procedure, or practice as a material\nweakness in reporting under the Federal Managers\xe2\x80\x99 Financial Integrity Act. 1\n\nThe OIG previously evaluated information security at the RRB during FYs 2000\nthrough 2006, and reported weaknesses throughout the RRB\xe2\x80\x99s information security\nprogram. 2 The OIG also cited the agency with significant deficiencies in access\ncontrols in the mainframe and end-user computing environments, training provided\nto staff with significant security responsibilities, and delays in meeting FISMA\nrequirements for both risk assessments and periodic testing and evaluation. During\nFY 2006, the agency completed corrective action to eliminate the previously\nreported significant deficiency in training.\n\nDuring FY 2007, the agency formed two new committees to help manage\ninformation security and privacy related issues. The Information Security and\nPrivacy Committee is responsible for facilitating the implementation of FISMA and\nthe E-Government Act and for ensuring agency-wide compliance with the Acts. The\ncommittee is also involved in privacy management compliance. The Agency Core\nResponse Group is responsible for conducting a risk analysis to determine whether\na loss of personal information resulting from a data breach poses identity theft\nproblems. The agency\xe2\x80\x99s response to the data breach will be contingent upon the\nnature and scope of the risk identified by the committee.\n\n\nObjective, Scope and Methodology\n\nThis evaluation was performed to meet FISMA requirements for an annual OIG\nevaluation of information security that includes:\n\n      1. testing the effectiveness of information security policies, procedures, and\n         practices of a representative subset of the agency\xe2\x80\x99s information systems; and\n\n      2. assessing the RRB\xe2\x80\x99s compliance with FISMA requirements and related\n         information security policies, procedures, standards, and guidelines.\n\nTo meet the first requirement, the OIG audited the application controls of the Daily\nActivity Input System/Checkwriting Integrated Computer Operation component\napplication of the RRA benefit payment major application, the state wage match data\ntransmission controls, the federal income taxes withheld from railroad retirement\nannuities, and the controls to safeguard sensitive personally identifiable information.\n1\n  A significant deficiency is a weakness in an agency\xe2\x80\x99s overall information systems security program,\nmanagement control structure, or within one or more information systems that significantly restricts\nthe capability of the agency to carry out its mission or compromises the security of its information,\ninformation systems, personnel, or other resources, operations, or assets.\n2\n    OIG audit reports are maintained on the RRB website at http://www.rrb.gov/oig/library.asp.\n\n                                                    2\n\x0cThe OIG also evaluated the RRB\xe2\x80\x99s privacy program, and began an evaluation of the\ninformation security for the financial interchange major application. These reviews\nwere conducted in FY 2007.\n\nTo meet the second requirement, we considered the results of prior audits and\nevaluations of information security during FYs 2000 through 2006, including the\nstatus of related recommendations for corrective action. We also obtained and\nreviewed documentation supporting the RRB\xe2\x80\x99s performance in meeting FISMA\nrequirements and interviewed responsible agency management and staff. Lastly,\nwe examined documentation for one of the RRB\xe2\x80\x99s contractor operations to\ndetermine whether controls were designed to meet FISMA requirements. 3 Our tests\nof contractor operations did not include an assessment of whether the controls were\noperating or effective.\n\nThe primary criteria for this evaluation included:\n\n    \xe2\x80\xa2   FISMA requirements;\n    \xe2\x80\xa2   OMB Circular A-130, \xe2\x80\x9cManagement of Federal Information Resources\xe2\x80\x9d; and\n    \xe2\x80\xa2   NIST standards and guidance.\n\nOur work was performed in accordance with generally accepted government\nauditing standards as applicable to the objective. Fieldwork was conducted at RRB\nheadquarters in Chicago, Illinois from May through September 2007.\n\n\nScope Limitation Caused by Appropriation Restrictions\n\nFISMA requires an annual OIG evaluation of the agency\xe2\x80\x99s information security\nprogram and practices which includes all agency general support and major\napplication systems, including the Medicare program. However, we cannot fulfill our\nFISMA oversight mandates because we are prevented by law from reviewing the\nagency\xe2\x80\x99s Medicare program which includes over 522,000 enrollees with claims\ntotaling more than $900.5 million. This paradox results from long-standing\nrestrictions on OIG appropriations dating back to 1997.\n\nIn FY 1999, P.L. 105-277 made the restriction on OIG appropriations permanent\nwhen the section entitled \xe2\x80\x9cLimitation on the Office of Inspector General\xe2\x80\x9d stated:\n\n        \xe2\x80\x9c\xe2\x80\xa6 none of the funds made available under this heading in this Act,\n        or subsequent Departments of Labor, Health and Human Services,\n        and Education, and Related Agencies Appropriations Acts, may be\n        used for any audit, investigation, or review of the Medicare Program.\xe2\x80\x9d\n        [Emphasis added.]\n\n\n\n3\n  FISMA establishes minimum security requirements for all agency operations and assets. These\nrequirements are listed in NIST Special Publication (SP) 800-53.\n\n                                               3\n\x0cAs of the end of FY 2007, the OIG has included all of the RRB\xe2\x80\x99s general support\nsystems and major applications in their FISMA evaluations, except the\nadministration of Medicare entitlements as proscribed by appropriation law. Since\nthe OIG is prevented from applying appropriation funds for any audit, investigation,\nor review of the RRB\xe2\x80\x99s Medicare program, a scope limitation results from the OIG\xe2\x80\x99s\ninability to perform its FISMA oversight mandates.\n\nAdditionally, the OIG has previously cited the RRB with a significant deficiency in\nperiodic testing and evaluations because the RRB has failed to implement a\nconsistent, FISMA compliant process which includes evaluating the effectiveness of\ninformation security policies, procedures, and practices. We believe this deficiency\nextends to the RRB\xe2\x80\x99s Medicare program.\n\n\n\n\n                                          4\n\x0c                            RESULTS OF EVALUATION\n\nThe RRB has not yet achieved an effective FISMA compliant security program. The\nagency is addressing its significant deficiencies in the previously reported areas of\naccess controls, risk assessments, and periodic testing and evaluation; however,\nmuch work remains to be completed. Additionally, other observed weaknesses in\nthe agency\xe2\x80\x99s implementation of requirements for risk based policies and procedures,\na NIST compliant certification and accreditation program, the identification of\ncontractors, an effective remedial action process, the continuity of operations, and\nthe inventory of systems continue to exist.\n\nThe details of our assessment of agency progress in complying with FISMA\nrequirements and a summary of the weaknesses identified during our FY 2007\nevaluation of information security, including recommendations for corrective action,\nfollow. Agency management has agreed to take the recommended corrective\nactions for all recommendations except Recommendation 6 for which we have made\nan alternative recommendation. The full text of management\xe2\x80\x99s responses is\nincluded in this report as Appendices I and II.\n\n\nAccess Controls\n\nThe design and implementation of access controls in the RRB\xe2\x80\x99s general support and\napplication systems is not adequate to meet minimum standards of least privilege\nestablished by OMB Circular A-130, Appendix III. Least privilege is the practice of\nrestricting a user\xe2\x80\x99s access or type of access to the minimum necessary to perform\nhis or her job.\n\nIn its FY 2001 evaluation of information security (and confirmed by technical\nspecialists under contract to the OIG), the OIG cited the agency with a significant\ndeficiency in this area and made several recommendations. Weaknesses included:\n\n    \xe2\x80\xa2   inadequate management of user accounts and passwords,\n    \xe2\x80\xa2   the inability to support detailed security evaluations of LAN user accounts\n        and privileges using existing facilities, and\n    \xe2\x80\xa2   a process of reviewing and re-authorizing access to some mainframe\n        component applications that was not fully effective.\n\nDuring FYs 2004 and 2005 the OIG, and technical specialists under contract to the\nOIG, performed detailed tests of user privileges in the mainframe and end-user\ncomputing general support systems. That testing also found that employees had\nbeen granted privileges in excess of those required for their job functions. Additional\nrecommendations in the area of access control were made, bringing the total\n\n\n\n\n                                           5\n\x0cnumber of recommendations in this area to 31. As of August 1, 2007, the agency\nhas fully implemented 9 of the recommendations, resulting in 22 that require further\ncorrective action. 4\n\nOur FY 2007 review of security configuration policies governing all domain servers\nand desktops showed that some settings still include default privileges to global\ngroups that allow excessive access. We also noted that an individual whose\naccount is currently inactive is also defined within the group policy object. These\nsettings violate the principle of least privilege and good security management\npractices. Excessive rights and privileges weaken the overall information security\nprogram. Previously, we reported that the RRB does not have an agency-wide\nsecurity configuration policy, and recommended that one be developed. 5 The\nagency has not yet addressed this recommendation.\n\nRecommendation\n\n      1. We recommend that the Bureau of Information Services review the privileges\n         defined in the group policy objects, and remove global groups that allow\n         excessive access and individually defined inactive accounts.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendation and will\nprepare a plan to address the group policy, remove global groups, and establish\norganizational unit groups.\n\n\nCertification and Accreditation\n\nThe OIG cited the RRB with a deficiency in implementing a NIST compliant\ncertification and accreditation program in FY 2003. We found that existing agency\nprocedures for authorizing the processing of information systems were not adequate\nto meet requirements because they did not place responsibility at a high enough\nlevel of agency management and were not supported by adequate risk assessment\nand testing processes.\n\n\n4\n    OIG Report No. 02-04, Recommendation 13, 20, and 21.\n    Blackbird Technologies, Inc., report dated 07/20/01, Recommendation 5.\n    Blackbird Technologies, Inc., report dated 08/17/01, Recommendations 5a, 5b, and 5c.\n    OIG Report No. 04-07, Recommendations 1, and 3.\n    OIG Report No. 04-08, Recommendation 1.\n    OIG Report No. 04-09, Recommendations 1, and 3.\n    OIG Report No. 05-08, Recommendations 10, and 11.\n    DSD LAN Report dated 06/07/05, Recommendations 6, 7, 8, and 9.\n    DSD SCAN Report dated 06/07/05, Recommendations 1 and 6.\n    DSD WEB Report dated 06/07/05, Recommendations 13 and 16.\n5\n    OIG Report No. 05-11, Recommendation 1.\n\n\n                                                   6\n\x0cOMB Circular A-130, Appendix III requires that agency management authorize\nsystems for processing based on the formal technical evaluation of the\nmanagement, operational, and technical controls. 6 In May 2004, NIST released\nSpecial Publication (SP) 800-37, \xe2\x80\x9cGuide for the Security Certification and\nAccreditation of Federal Information Systems\xe2\x80\x9d which provides guidelines for security\ncertification and accreditation of information systems supporting the executive\nagencies of the Federal government. NIST SP 800-37 provides that security\naccreditation should be given by a senior agency official who has authority to\noversee the budget and business operations of the information system. 7\n\nAgency management rejected the OIG\xe2\x80\x99s recommendation to develop a formal\ncertification and accreditation process when it was first offered in FY 2003, but\nagreed to implement the recommendation when it was again offered in FY 2004. 8\nElsewhere in this report we discuss the significant deficiencies in the RRB\xe2\x80\x99s risk\nassessment and testing and evaluation processes which are critical elements of\ncertification and accreditation.\n\nDuring FY 2007, the agency contracted with technical specialists to assist in the\ncertification and accreditation of the RRB\xe2\x80\x99s end-user computing general support\nsystem. Certification and accreditation of the RRB\xe2\x80\x99s mainframe computing general\nsupport system and each of the six major applications are expected to begin\nfollowing the completion of the end-user computing accreditation. The contract\nincludes the preparation of risk assessments, updated security plans, security\ntesting and evaluations, and a Plan of Action and Milestones (POAM) for each\nsystem reviewed.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nRisk Assessment\n\nThe RRB has not implemented an effective risk assessment process including\ndocumentation of agency determinations regarding risk. A risk assessment process\nis a critical component of a NIST compliant certification and accreditation process.\n6\n The terms certification and accreditation are synonymous with the formal technical evaluation of the\ncontrols and the authorization of the information system for processing, respectively.\n7\n  NIST SP 800-37 functionally replaced Federal Information Processing Standard 102, \xe2\x80\x9cGuideline for\nComputer Security Certification and Accreditation,\xe2\x80\x9d dated September 1983. That standard stated that\n\xe2\x80\x9caccrediting officials must possess authority to allocate resources to achieve acceptable security and\nto remedy security deficiencies.\xe2\x80\x9d Therefore, NIST SP 800-37 continues to prescribe information\nsystem accreditation at a level of management consistent with long-standing requirements.\n8\n    OIG Report No. 03-10, Recommendation 6.\n    OIG Report No. 04-11, Recommendation 9.\n\n\n                                                  7\n\x0cOrganizations use risk assessments to determine the potential threats to information\nand information systems and to ensure that the greatest risks have been identified\nand addressed.\n\nFISMA requires federal agencies to periodically assess the risk and magnitude of\nharm that could result from unauthorized access, use, disclosure, disruption,\nmodification, or destruction of information or information systems.\n\nThe OIG first reported in FY 2002 that the RRB\xe2\x80\x99s risk assessment process was\nmade in connection with management control reviews performed for the Federal\nManagers\xe2\x80\x99 Financial Integrity Act of 1982. At that time, we reported that the reviews\nmay or may not include security-related control objectives and techniques.\n\nIn our FY 2005 FISMA report, the OIG cited the agency with a significant deficiency\nin this area because the agency had made little progress in implementing a formal\nrisk assessment process in accordance with NIST guidance. We also\nrecommended that the agency complete formal risk assessments of the major\napplication and general support systems in accordance with NIST guidance. 9 While\nthe agency drafted a risk assessment methodology in FY 2006, that document has\nnot yet been approved, adopted, or implemented.\n\nDuring FY 2007, the agency contracted with technical specialists to assist in the\ncertification and accreditation of the RRB\xe2\x80\x99s end-user computing general support\nsystem, including the completion of a formally documented, NIST compliant, risk\nassessment. Similar actions for the RRB\xe2\x80\x99s mainframe computing general support\nsystem and each of the six major applications are expected to begin following the\ncompletion of the contract for end-user computing.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nTesting and Evaluation\n\nThe RRB has not yet implemented a consistent, FISMA compliant, testing and\nevaluation process.\n\nFISMA requires periodic testing and evaluation of the effectiveness of information\nsecurity policies, procedures, and practices performed with a frequency depending\non risk, but no less than annually. The periodic tests and evaluation must include\ntesting of management, operational, and technical controls for every system\nidentified in the agency\xe2\x80\x99s inventory of systems. NIST SP 800-53A, \xe2\x80\x9cGuide for\nAssessing the Security Controls in Federal Information Systems,\xe2\x80\x9d provides\nprocedures for assessing the effectiveness of security controls employed in Federal\n9\n    OIG Report No. 05-08, Recommendation 4.\n\n                                              8\n\x0cinformation systems and directly supports the security certification and accreditation\nprocess.\n\nThe OIG previously reported that RRB tests did not meet FISMA requirements\nbecause they did not include all major application systems and were not\ncomprehensive with respect to all three categories of controls: management,\noperational, and technical. Additionally, the agency had not consistently performed\ntests of contractor operations. We recommended that management act to ensure\nperiodic independent evaluations of system security for major applications, as well\nas the quality of security self-assessments. 10\n\nIn our FY 2005 FISMA report, the OIG cited the agency with a significant deficiency\nin this area because the agency had made little progress in implementing a\ncompliant periodic testing and evaluation process.\n\nIn FY 2006, the Bureau of Information Services incorporated a subset of the NIST\nSP 800-53A procedures as a test plan for common controls which are not specific to\nany one major application or general support system, and began testing. The\ncommon controls address the development of policies and procedures, continuity\nplanning, incident response, physical environment security, and personnel security.\nIn FY 2007, they completed their test. However, they did not incorporate the RRB\xe2\x80\x99s\nregional and field offices in the test. Since each field office location has its own\nserver containing agency information, the results of the common control tests\npertaining to physical security are impacted by field office omission.\n\nDuring FY 2007, the agency contracted with technical specialists to assist in the\ncertification and accreditation of the RRB\xe2\x80\x99s end-user computing general support\nsystem, including the completion of security tests and evaluations. Similar actions\nfor the RRB\xe2\x80\x99s mainframe computing general support system and each of the six\nmajor applications are expected to begin following the completion of the contract for\nend-user computing. However, that contract only requires contractor employees \xe2\x80\x9cto\nperform their necessary services at the RRB headquarters facility, located in\n`Chicago, Illinois.\xe2\x80\x9d Therefore, it does not appear that those test procedures will\ninclude any physical environment tests of the RRB\xe2\x80\x99s regional and field offices.\n\nThe lack of testing outside of RRB headquarters may result in weaknesses that will\ngo undetected, increasing the RRB\xe2\x80\x99s risk that information and information systems\nare not protected from unauthorized access, use, disclosure, disruption, modification\nor destruction. As a result, the RRB cannot ensure the confidentiality, integrity, or\navailability of agency information.\n\n\n\n\n10\n     OIG Report No. 02-04, Recommendation 3.\n     OIG Report No. 03-02, Recommendations 1, 2, 3, and 4.\n\n                                                  9\n\x0cRecommendation\n\n       2. We recommend that the Bureau of Information Services extend their test and\n          evaluation plans to include agency information and information systems\n          located outside of RRB headquarters, including regional and field offices.\n\nManagement\xe2\x80\x99s Response\n\nThe Bureau of Information Services concurs with the recommendation and will\ndevelop guidance for the regional, field, and headquarters office managers on how\nto perform security assessments to validate whether adequate physical,\nenvironmental and information security controls are in place.\n\n\nPolicies and Procedures\n\nThe RRB\xe2\x80\x99s policies and procedures continue to need improvement to ensure that\nthey are comprehensive and effective in all areas of the agency\xe2\x80\x99s information\nsecurity and privacy programs.\n\nFISMA requires that agencies include risk-based policies and procedures that cost-\neffectively reduce risks to an acceptable level and ensure that information security\n(which includes the confidentiality, integrity, and availability of information) is\naddressed throughout the life cycle of each information system.\n\nDuring FY 2007, the OIG conducted several reviews which disclosed the need for\nadditional policies, procedures, and practices to address information security and\nprivacy weaknesses. 11\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nTraining\n\nThe RRB has met the FISMA requirement for information security training for\nemployees, but needs improvement in identifying contractors. Our review of security\n\n11\n     OIG Report No. 07-02, Recommendations 1, 2, 3, 4, and 5.\n     OIG Memorandum No. 07-02m, Recommendation 1.\n     OIG Report No. 07-04, Recommendations 1, 2, 3, 4, 5, and 6.\n     OIG Report No. 07-06, Recommendations 1, 2, 3, 4, 5, 6, 7, 8, 9,10, 11, 12, 13, 14, 15, 16, and 17.\n     OIG Report No. 07-07, Recommendations 2, 3, and 4.\n\n  Additionally, our audit of controls to safeguard sensitive personally identifiable information with 22\nrecommendations is pending management\xe2\x80\x99s response to the draft report.\n\n\n                                                    10\n\x0cawareness training provided to employees and contractors showed that the\nmethodology used by the Bureau of Information Services to identify contractors for\nsecurity awareness training is ineffective. As a result of our discussions with agency\npersonnel concerning the methods used by them to identify contractors for training,\nthe number of contractors notated on the agency\xe2\x80\x99s training control log doubled\nduring the month of August 2007. Most of these contractors had obtained their\nsystem access prior to January 2007. Previously, in our review of the agency\xe2\x80\x99s\nprivacy program, we reported a similar weakness regarding unidentified contractors\nwith access to personally identifiable information, and made recommendations to\nimprove that program. 12\n\nFISMA requires agencies to provide security awareness training to employees,\ncontractors, and other users of information systems. In addition to security\nawareness training, agencies are required to provide appropriate training on\ninformation security to personnel with significant security responsibilities. The RRB\nhas developed a security awareness training pamphlet, Form RRB G-15, which\nprovides an overview of the RRB\xe2\x80\x99s policies and procedures for information security.\nPersonnel are required to sign Form G-15a to acknowledge that they have read and\nunderstand this pamphlet. Annual refresher training may, or may not, consist of\nreviewing this pamphlet as other areas of concentration may be desired by agency\nmanagement.\n\nThe procedure used by the Bureau of Information Services to identify contractors for\ntraining only considers those contractors for whom email addresses are known.\nAdditionally, agency personnel did not keep records of any attempts to identify\ncontractors for whom email addresses were unknown. Good sources of contractor\ninformation can be found in access control lists, contract files and discussions with\nthe Contracting Officer\xe2\x80\x99s Technical Representatives, and through the compiled\nresults of prior reviews.\n\nSecurity awareness training informs users of their duties and responsibilities in\ncomplying with agency policies and procedures to reduce risks associated with\ninformation security. Untrained contractors pose additional risks because their\ncorporate culture may not be aligned with agency policy, procedures, and rules of\nbehavior.\n\nRecommendations\n\n      3. We recommend that the Office of Administration revise the Contracting\n         Officer\xe2\x80\x99s Technical Representative instructional letter to include a requirement\n         for all new contractor employees to receive the security awareness training\n         pamphlet, Form RRB G-15, and to obtain the written acknowledgement from\n         them via Form G-15a.\n\n      4. We recommend that the Bureau of Information Services compile and maintain\n         comprehensive listings of all contractors for future annual refresher training by\n12\n     OIG Report No. 07-06, Recommendations 11, 12, and 14.\n\n                                               11\n\x0c          implementing a procedure to use all available sources of identification,\n          including access control lists and contract files.\n\nManagement\xe2\x80\x99s Responses\n\nThe Office of Administration concurs with the recommendation and will revise the\nContracting Officer\xe2\x80\x99s Technical Representative instructional letter.\n\nThe Bureau of Information Services concurs with the recommendation and will\ndevelop procedures to maintain a comprehensive listing of all contractors in time for\nthe next annual cycle of awareness training.\n\n\nSecurity Plans\n\nFISMA requires that agencies maintain subordinate plans for providing adequate\ninformation security for networks, facilities, and systems or groups of information\nsystems. The RRB has developed and maintains such plans.\n\nIn FY 2007, the agency contracted with technical specialists to assist in the\ncertification and accreditation of the RRB\xe2\x80\x99s end-user computing general support\nsystem, including the completion of an updated security plan. Similar actions for the\nRRB\xe2\x80\x99s mainframe computing general support system and each of the six major\napplications are expected to begin following the completion of the end-user\ncomputing contract.\n\n\nRemedial Action Process\n\nThe RRB\xe2\x80\x99s remedial action process continues to be ineffective in identifying and\nprioritizing all weaknesses in the agency\xe2\x80\x99s information security and privacy\nprograms.\n\nFISMA requires Federal agencies to maintain a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency. OMB\nrequires agencies to develop a formal POAM to identify vulnerabilities in information\nsecurity and privacy, and to track the progress of corrective action. Each year, OMB\nrequires the OIG to assess the agency\xe2\x80\x99s POAM as part of the FISMA reporting\nprocess.\n\nThe OIG first criticized the RRB\xe2\x80\x99s POAM in FY 2003 as ineffective in articulating\nweaknesses and planning corrective actions. We recommended that the RRB\nreview and revise the POAM to include items that were missing. The RRB rejected\nthe recommendation stating the POAM was for internal agency purposes and did not\nrequire revision to track remedial actions. 13\n13\n     OIG Report No. 03-11, Recommendation 1.\n\n                                               12\n\x0cIn FY 2005, we again reported that the existing POAM was not comprehensive with\nrespect to identifying weaknesses. We also reported that it was not driven by\ninternal risk assessments and control evaluations and did not demonstrate\nprioritization of agency plans and efforts to correct the weaknesses found. We\nrecommended that the RRB review and revise its remedial action process to ensure\nthat all security weaknesses are included and to ensure that the POAM\ndemonstrated the prioritization of agency remediation efforts. 14 The RRB responded\nthat they found the POAM \xe2\x80\x9cto be a cumbersome document to maintain and update\xe2\x80\x9d\nbut agreed to modify it \xe2\x80\x9cto reflect outstanding security recommendations \xe2\x80\xa6 with\nsufficient summarized detail to permit oversight and tracking of agency remediation\nprogress.\xe2\x80\x9d\n\nIn FY 2007, we reported that the agency was not preparing action plans for their\nprivacy-related weaknesses, and as a result those weaknesses were not being\nincorporated into the existing POAM. We recommended that the agency develop\nappropriate action plans and update the POAM for all privacy-related weaknesses. 15\nThe RRB has only agreed to include significant privacy-related weaknesses.\n\nOur current assessment of the existing POAM shows that the agency continues to\nomit many known weaknesses identified either through OIG reviews or through\nagency reviews. As a result, agency efforts to date have been insufficient in\ncorrecting POAM deficiencies.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nIncident Handling and Reporting\n\nThe RRB\xe2\x80\x99s incident handling and reporting program is generally effective in ensuring\nthe confidentiality, integrity, and availability of the agency\xe2\x80\x99s information and\ninformation technology.\n\nFISMA mandates that Federal agencies develop, document, and implement\nprocedures for detecting, reporting, and responding to security incidents as part of\nits agency-wide information security program.\n\nIn FY 2006, the OIG performed a detailed review of the RRB\xe2\x80\x99s incident handling and\nreporting program and found that agency\xe2\x80\x99s overall efforts were sufficient to meet the\nrequirements established by FISMA. We did, however, recommend some areas\nwhere program management could be improved. 16\n\n14\n   OIG Report No. 05-11, Recommendation 3.\n15\n   OIG Report No. 07-06, Recommendation 15.\n16\n   OIG Report No. 06-09, Recommendations 1, 2, 3, 4, 7, 8, 9, and 10.\n\n                                                13\n\x0cRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nContinuity of Operations\n\nThe agency\xe2\x80\x99s disaster recovery plan provides assurance that most of the agency\xe2\x80\x99s\nmajor information technology functions would be operational in the event of a\ndisaster, but the plan does not provide reasonable assurance that the agency will be\nable to recover from a disaster and perform its critical business functions in a timely\nmanner. Additionally, procedures do not ensure the protection of sensitive\ninformation.\n\nFISMA requires Federal agencies to implement plans and procedures to ensure\ncontinuity of operations for information systems that support the operations and\nassets of the agency.\n\nHistorically, the RRB has provided for semi-annual off-site recovery testing of the\ntwo general support systems and the mainframe databases of its major application\nsystems. The RRB generally also tests some of the major application batch\nprocesses, and LAN connectivity. However, the RRB has never tested the\nContinuity of Operations Plan which ensures business continuity. In FY 2006, the\nOIG recommended such testing, as well as other continuity of operations procedures\nand practices. 17 Additionally, we had previously recommended that the agency\nupdate its overall disaster recovery plan, which is still pending. 18\n\nIn FY 2007, the RRB performed a desk examination of the Continuity of Operations\nPlan. This consisted mainly of having team members read a training document,\nupdate the team rosters, and verify that the plan procedures are correct.\n\nAt the time of our FISMA evaluation, the RRB had also performed one of the two\nscheduled off-site recovery tests. Our review of the test\xe2\x80\x99s results show that the RRB\ndid not adequately dispose of all data packs containing sensitive information. We\nwere told that the time allotted for off-site testing had lapsed, so the Bureau of\nInformation Services personnel left the test site without clearing the data packs.\nInstead, they left the removal of sensitive information to the off-site disaster recovery\nvendor. As a result, the RRB lost control of their sensitive information and cannot\ndetermine whether the data was inappropriately accessed or compromised by an off-\nsite vendor employee.\n\nWe also reviewed the results of all off-site test results since FY 2001, and noted that\none of the RRB\xe2\x80\x99s major applications (Financial Interchange) has never been tested\n\n17\n     OIG Report No. 06-08, Recommendations 2, 4, 5, and 6.\n18\n     OIG Report No. 02-04, Recommendation 6.\n\n                                                14\n\x0coff-site, and another RRB major application (Financial Management) has not been\ntested off-site since FY 2002. As a result, the RRB cannot ensure that the\nprocedures for recovering these two major applications are operable or effective.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n   5. Schedule enough time following off-site testing to ensure all data packs\n      containing sensitive information are cleared before leaving the test site. In\n      the unfortunate chance that test time may lapse, a responsible Bureau\n      employee should stay to observe the clearing of the disk packs to ensure no\n      compromise of sensitive information occurs.\n\n   6. Schedule the major application systems for off-site testing to ensure that all\n      major applications are tested on a rotational basis in a reasonable amount of\n      time.\n\nManagement\xe2\x80\x99s Responses\n\nThe Bureau of Information Services concurs with Recommendation 5 and will set\naside a specific amount of time to scrub the data from the disk packs at the next\ndisaster recovery test. They have also obtained permission to stay past the\ncontracted time, if necessary, to accomplish this task. Additionally, the Bureau of\nInformation Services will pursue a more permanent solution and update their\nprocedures accordingly.\n\nFor Recommendation 6, the Bureau of Information Services agrees, in theory, that it\nis appropriate for all major application systems to be involved in recovery off-site\ntesting, but that they cannot force system owner participation in such exercises. The\nBureau of Information Services has agreed, however, to develop a procedure to\ndocument solicitations to participate in off-site testing, and document system owner\nresponses.\n\nOIG\xe2\x80\x99s Comments on Management\xe2\x80\x99s Response\n\nThe Bureau of Information Services has indicated that they cannot agree to\nRecommendation 6 because they \xe2\x80\x9ccannot force participation in such exercises by\nsystems owners.\xe2\x80\x9d Disaster recovery testing is a critical part of any information\nsecurity program. Accordingly, we believe that the Chief Information Officer should\nseek the required authority from the agency\xe2\x80\x99s three-member Board. If such authority\nis not forthcoming, we offer the alternative recommendation that the Chief\nInformation Officer develop a procedure to advise the agency\xe2\x80\x99s Executive\nCommittee and/or three-member Board of the history and status of disaster recovery\ntesting for the various major application systems.\n\nA continued inability to obtain a change of behavior among system owners will be\nconsidered a significant deficiency in future FISMA evaluations. The\n                                          15\n\x0crecommendation will remain in the OIG\xe2\x80\x99s audit follow-up system until the Chief\nInformation Officer has pursued this matter as described above.\n\n\nInventory of Systems\n\nThe agency has not yet completed compilation of a reliable inventory of systems. In\nFY 2005, we reported that the RRB did not have a reliable inventory that identified\ncomponent applications operating in the end-user computing general support\nsystem, the related server locations, or the identification of security administrators.\nAccordingly, we made recommendations to address these issues; implementation of\nwhich is currently pending. 19\n\nFISMA requires that each agency develop, maintain, and annually update their\ninventory of major information systems operated by, or under the control of, the\nagency. This inventory is to include an identification of the interfaces between each\nsystem and all other systems or networks, including those not operated by, or under\nthe control of, the agency.\n\nIn connection with our review of the agency\xe2\x80\x99s security configurations, we noted the\nRRB maintains a separate, special purpose, inventory of servers located in RRB\nheadquarters. This inventory includes data that is not present in the agency\xe2\x80\x99s official\nfixed asset inventory system, including operating system, physical location within the\ndata center, server function, and server status such as \xe2\x80\x9cto be de-commissioned\xe2\x80\x9d or\n\xe2\x80\x9cnot used\xe2\x80\x9d. A comparison of the two inventories and a physical review of individual\nservers revealed several discrepancies in server serial identification numbers, and\neight servers that were missing from the agency\xe2\x80\x99s official fixed asset inventory\nsystem. Additionally, our review of physical servers revealed additional errors in the\nspecial purpose inventory, including incorrect operating system and server status.\n\nComplete, accurate, and reliable inventories of information systems, including\napplications and hardware, strengthen the information security program by\nfacilitating best practices over physical security controls.\n\nRecommendations\n\nWe recommend that the Bureau of Information Services:\n\n      7. Perform a physical inventory of information technology hardware, and update\n         the agency\xe2\x80\x99s official fixed asset inventory system.\n\n      8. Research the possibility of using the agency\xe2\x80\x99s official fixed asset inventory\n         system to track the additional data the Bureau requires, and considers\n         migrating to that inventory system if those requirements can be met.\n\n\n\n19\n     OIG Report No. 05-08, Recommendations 1, 2, and 3.\n\n                                                16\n\x0cManagement\xe2\x80\x99s Responses\n\nThe Bureau of Information Services concurs with Recommendations 7 and 8 and will\nperform a physical inventory for headquarters equipment by September 30, 2007,\nand for field office equipment after the deployment of newly purchased equipment.\nThey will also create procedures for improving control over data collection and entry\ninto the agency\xe2\x80\x99s fixed asset system. Additionally, the Bureau of Information\nServices will use the agency\xe2\x80\x99s official fixed asset inventory system to track the\nadditional data they require.\n\n\n\n\n                                         17\n\x0c\x0c\x0c\x0c\x0c'